Computer networks, particularly those with global reach such as the Internet, have greatly influenced the way that individuals, companies and institutions conduct transactions, and store and retrieve documents, images, music, and video. Convenience, ease of use, speed, and low overhead costs are contributing factors to the widespread use of the Internet for purchasing goods as well as conducting confidential transactions. Entire industries have emerged as a result of the evolution of the Internet.
Secure access to computer systems and computer networks has been traditionally guarded with a username and password pair. This requires the user to protect the username and password from unauthorized use. If the username and password are not protected, accounts and files can be compromised. Unfortunately, a number of rogue individuals and organizations have emerged that are dedicated to fraudulently obtaining confidential information for unauthorized or criminal activities.
A pervasive tool used in obtaining confidential information is keystroke-logging software, which constitutes a software program that can anonymously and secretly monitor and record keystrokes entered by a user on his or her computer. Such software often comprises the payload of viruses, worms, Trojan horses, and other forms of malware. Keystroke-logging software can reveal what a user is typing on a computer without the user's knowledge of this event occurring.
Companies and institutions routinely use keystroke-logging software to monitor employee activity. Also, families may use these types of programs to monitor children's online activities. The widespread availability of this type of software, however, has led to unauthorized or criminal use, resulting in the alarming rate of identity theft seen throughout the world.
Prime targets for these attacks are financial institutions, as more and more consumers and businesses use electronic methods for purchasing and making payments. The trend is clearly in favor of electronic transactions, providing a wider field for identity theft.
Login information may also be “heard” by sophisticated analysis of the distinct sounds made by different keys. An inexpensive microphone near a keyboard can reveal most of what is being typed with a surprising degree of accuracy. Login information is also vulnerable to simple spying or “shoulder-surfing,” as a person with malicious intent watches an unsuspecting user sign into his or her account.
Additional security mechanisms are necessary in addition to the username/password paradigm to provide stronger identity authentication. There have been various other attempts to do so. The ability to enhance identify authentication also helps to prevent so-called “phishing” activities on the part of unscrupulous and criminals persons and/or organizations.
In computing, phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. EBay, PayPal and online banks are common targets. Phishing is typically carried out by email or instant messaging, and often directs users to enter details at a website, although phone contact has also been used. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical measures.
A number of attempts to authorize secure transactions have been implemented. One prior art example of such an attempt is disclosed in U.S. Patent Application Publication No. 20050140497 to Chiviendacz et al, entitled “Method and Apparatus for Securely Providing Identification Information Using Translucent Identification Member With Filter” which published on Jun. 30, 2005, discloses a translucent credit card that can be placed over a login screen with what appears to be random characters. When the credit card is placed over the login screen, a login ID can be derived and typed into a text entry field. The punched holes in the credit card reveal the correct ID for a given user.
Another prior art example is the well-known RSA SecurID authentication mechanism, which consists of a “token”—a piece of hardware (e.g. a token or USB) or software (e.g. a “soft token” for a PDA or cell phone) assigned to a computer user that generates an authentication code at fixed intervals (usually 30 or 60 seconds) using a built-in clock and the card's factory-encoded random key (known as the “seed” and often provided as a *.asc file). The seed is different for each token, and is loaded into a corresponding RSA SecurID server as the tokens are purchased.
RSA SecurID token hardware is designed to be tamper-resistant to deter reverse engineering of the token. Despite deterrent, however, public coding has been developed by the security community allowing a user to emulate RSA SecurID in software, but only if they have access to a current RSA SecurID code, and the original RSA SecurID seed file introduced to the server.
A user authenticating to a network resource (e.g., a dial-in server or a firewall) needs to enter both a personal identification number and the number being displayed at that moment on their RSA SecurID token. Some systems using RSA SecurID disregard PIN implementation altogether, and rely on password/RSA SecurID code combinations. The server, which also has a real-time clock and a database of valid cards with the associated seed records, computes what number the token is supposed to be showing at that moment in time, checks it against what the user entered, and makes the decision to allow or deny access.
The RSA SecurID device thus generates a new random number every minute which is used as a password. In addition to the physical key fob this solution requires client software to be installed on a user's PC. The RSA SecurID implementation, however, can be expensive, especially if thousands of end users are supported.
A further prior art authentication example includes the use of “Paper Key Cards” in which a new password is read from a preprinted key card, or list of passwords. Such an approach requires that new printed key cards are distributed to the users on a regular basis. If the distribution is not secure (e.g., such as mail) then this presents additional security concerns. The user enters a user ID followed by the next unused password on the keycard.
One of the primary drawbacks with these examples of prior art authentication approaches is that they fail to offer full protection against a phishing site. A fake (phishing) site could have obtained the sufficient password information from the above three methods to immediately log in to the users account. What is needed to overcome the problems associated with such prior art techniques is a novel approach that can provide both a pass code and a mechanism to defeat phishing.